
1. Are you looking for information only to determine an acquisition strategy for this upcoming procurement through
this RFI or do you plan on short-listing who would receive the RFP based on responses you receive for this RFI?

This is just an information gathering exercise to help us develop requirements, policies, and/or
acquisition strategy for these services. We do not plan on short-listing those who receive any future
solicitation for Cloud services based on responses to this RFI. The future solicitation will be posted
publicly on FBO and the House site.

2. In reference to RFI Section 2.2: As this will be an electronic submission, will the HIR permit the inclusion of
electronic attachments within individual responses to allow for a more comprehensive explanation of the detailed
cloud options? Please amend the RFI to clarify this issue.

No.

3. Based on the RFI, all content will be moving to a public Cloud Service Provider (CSP). Are there any specific cloud
security requirements other than FedRAMP that will apply to the applications that are deployed on the CSP that
do not apply to them currently?

A risk assessment is conducted by the CAO/HIR/ISSO as a final step before authorization is


recommended consists of research needed to determine the presence of security controls and any
testing to validate control effectiveness. The House may use documentation of security controls as
provided by the Federal Risk Management Authorization Program (FedRAMP), but a risk assessment is
still required. The risk assessment includes:
Testing of the existence and effectiveness of security controls, if applicable.
Identify known weaknesses in the solution that may affect the confidentiality, integrity, and
availability of House data.
Generate recommendations to augment the security of the solution.
Identify the residual risk of the solution based on available information.

4. If yes to question 3, will the nature of the content impact the application of the other security requirements?

The nature of the impact is dependent on the type of data stored or how it is accessible.

5. Would the vendor be expected to move applications that have individual support contracts? If so will the
integration with the current support be negotiated one by one or jointly as part of the new RFP?

No.

6. When applications have license agreements that are not conducive to migration to a cloud model, will the
House of Representatives be willing to re-negotiate those agreements or look at them as sunk cost?

Unsure as it depends on the cost of license on a product by product basis.

7. The RFP describes having an Active Active environment. Would the House of Representatives be open to
defining high availability and COOP as a component of a service level agreement and tie it to application, PaaS, or
IaaS as needed?

Yes.

8. Does the House of Representatives have a target architecture(s) and application framework(s) that it would like to
be the standard for all transformational efforts and development effort? Examples (OS Windows, CMS-Drupal)

Currently CAO Web Systems is invested in Linux and Drupal, but we are potentially open to new
technologies and frameworks that would coincide with the House's Web needs.

9. CSP vendor lock-in represents cost on the back end for migrating out of a CSP environment. Is the client
considering this as a factor as it looks at CSPs, makes architectural decisions, and evaluates total cost?

Yes.

10. Is it a consideration for the House of Representatives vendors that develop, manage, and host the site with the
technology of their choice to be migrated to a standard environment and standard offering of architectural
options when feasible?

The offering for the Vendors is still being defined. The House is open to suggestions via this RFI for
possible options to consider.

11. Is the House of Representatives looking for a Hybrid CSP environment of options supporting IaaS, PaaS, and MSP in
one offering?

The ideal would be to have all of these (IaaS, PaaS, and MSP) in one Cloud provider offering to ease the
management burden of the contract. However, the House is open to considering IaaS, PaaS, or MSP
offerings via multiple Cloud providers as well.

12. Is the House of Representatives looking for an option that includes more than one CSP?

Please see the response for question 11 above.

13. In reference to RFI Section 3.2.10: As a solution can be engineered and priced for all levels of availability, what are
the high profile availability requirements for the internal websites as well as the external (public facing)
websites?

This RFI is focused on external websites only. We envision near Active-Active or as close to near Active-
Active availability as possible.

14. Please provide additional information on the 100 additional MLC sites such as the O/S (Windows, Linux, etc.),
platform (Joomla, ColdFusion, etc.), and expected authentication mechanism that will be required by HIR for the
vendors currently supporting these MLC sites. This information is extremely important for understanding the
various integration points that might be required.

There is a variety; however, it is easily summarized as current versions of Windows server and Linux
environments and platforms.

15. Please describe the current in-house Cloud architecture so that the best suggestions can be made for a smooth
migration.

The House infrastructure currently provides for two models. The first being the Drupal platform and the
second being the non-Drupal platform. The House Drupal platform hosts in-House HIR developed House
office sites as well as those developed by vendors that choose to use the Drupal platform. This enables
Web Systems staff and authorized web vendors to host Drupal websites that have many common
features to the custom Drupal profiles that Web Systems has provided.

The non-Drupal platform is for those vendors who do not develop Drupal sites. These vendors are
provided individual virtualized environments with varying operating systems and technologies. Vendors
manage their own virtual servers - which provides maximum flexibility in their architecture decisions but
also requires compliance with additional auditing and security specifications.

16. Are the current Drupal systems including the underlying infrastructure managed by HIR employees or a contractor
and if the latter, who is the contractor?

It is managed by internal HIR staff.

17. Does HIR have a strategic vision for the management of the Cloud systems in regards to what extent the present
HIR employees or contractor will be involved? Is HIR looking for self-service through a brokerage tool or custom
Web site?

Yes, the strategic vision is to leverage the Cloud as much as possible to minimize our operational
burdens. This may be something that is gradual and happens over time. We are open to brokerage;
however, we are leaning towards custom web design.

18. Will the Managed Service Provider be required to have an existing FedRAMP certification or can this be obtained
after the contract is awarded? If the latter, who will be burdened with the cost of the certification, the contractor or
HIR?

Our expectation is the MSP will be FedRAMP certified. However, we reserve the right to reconsider this
position if circumstances dictate. HIR does not envision fronting the costs of the certification.

19. Does the HIR site for the OIG not contain any IT audits, or are these reports not disclosed to the public?

We don't believe this question is relevant to the RFI.

20. What is the current level of expertise for securely managing both the Drupal and non-Drupal sites at HIR? Is there
a strategic approach to maintain and enhance these skill levels?

HIR maintains trained and qualified staff to support all technology areas.

21. Does HIR envision the use of a ticketing system that spans both the 350 Drupal and 100 external vendor sites in
scope?

We don't believe this question is relevant to the RFI.

22. Does HIR envision outsourcing all of the IT Security for the sites to the Cloud Managed Service Provider?

No. However, we are open to vendor suggestions on security best practices on the Cloud.

23. In reference to RFI Section 3.2.9: Are there any support or compatibility considerations with existing or remaining
infrastructure that an organization should consider? How will our licensing models likely change?

We cannot say as yet as it depends on the Cloud service model with which we proceed.

24. Would the Government provide architecture documentation for applicable existing infrastructure? Would the
Government provide the existing software license models?

No, not for this RFI.

25. Could the government please explain the nature of the internal Cloud architecture that supports the Drupal
platform? Specifically, what are the cloud interface, the virtualization platform, and the key features that must be
reproduced or extended in the new platform?

Current virtualization platform is VMWare specific. The requirements are for demonstrated ability to
fully administer and manage the VM environment to include on-call support.

26. Could the government please explain the nature of the separate virtualized environment on the House
infrastructure that supports the non-Drupal applications, or is it the same as the architecture supporting the
Drupal platform?

Please see the response to question 15.

27. What platform level commitments (operating system, database, messaging systems, etc.) has HIR made, and what
flexibility exists in substituting cloud services for platform components?

Operating systems answered in response 44. Basically, the major platform components are Linux
(RedHat), MySQL, Apache, PHP, SOLR, Windows, SQL Server. Depending on the situation, Web Systems is
open to changing architectures if it would simplify or significantly enhance the feature set or
maintenance of our stack.

28. Can a cover page and table of contents be provided/submitted without counting against the 12-page maximum?

Yes.

29. What is the Drupal platform currently residing on? What will be the technology requirements for Drupal 8? What
databases are being used?

Normal LAMP stack, with a set of custom built scripts to assist with maintenance of the complicated
folder structure that holds it together. Standard Drupal 8 minimum requirements would be needed
when we move to Drupal 8.

30. What is the infrastructure platform (OS?) What is the sizing of the environment as it relates to CPU, Memory &
Storage? What, if any, virtualization technology/ies are being used? What are the IOPS requirements?

VMWare specific virtualization technologies with CPU capacity of 850 GHz (320 Processors), RAM 2 TB,
Storage 38 TB (or greater for these). For the Web infrastructure, CPU 319 GHz (120 Processors), RAM
800 GB, Storage 19 TB (or greater for these). Backup storage servers up to 8 CPUs, 16GB of memory,
multiple network connections, approximately 500Gb of web data (sharable across multiple systems),
and approximately 50Gb of application storage per system (or greater for these). This is for 'web
servers' only. The utility tier and database tiers are not included.

31. What is the current backup technology being deployed?

Please see response to question 15.

32. What is the Disaster Recovery/Business Continuance plan that has been deployed? What are the RTOs & RPOs?

Due to the fact that several public facing websites are essential for communicating vital information to
the public, the RTO goal is as close to always on as possible with minimal downtime.

33. How many of the 5 multi-sites are physical? What is the bandwidth between these sites? Where are the five (5)
sites geographically located?

This question seems to be confusing a Drupal multi-site with something that refers to a geological
location. All sites are located in one geographic place.

34. Is two-factor authentication required/deployed?

We have some websites that require 2 factor authentication with future plans for 2 factor
authentication for all administration and data content.

35. Are they using any load balancers? If so, what type(s)?

Yes, however, the type does not seem relevant for RFI purposes.

36. What kinds of firewalls are deployed if any? If so, what type(s)?

Yes, however we choose not to provide the specifics at this time.

37. How are each of the 350 websites currently deployed?

If the question is asking "How do you deploy updates to individual websites on the Drupal Platform", it is
basically done via custom scripting.

38. Currently, does each site have its own VM or its own physical server?

Each website (ex. www.membername.house.gov) is not its own VM or physical server. As for vendors, a
VM is provided.

39. Are there sub-sites within these 350 sites?

No.

40. What is the current bandwidth usage of the 350 sites if they have any diagnostics?

It averages 150-200 GB/day.

41. What has been the growth rate of the environment over the past five (5) years? What is the anticipated growth
rate over the next five (5) years?

CPU and memory have not changed significantly. As for disk growth, on average it appears there is
approximately 5% growth in disk utilization per year. The growth for the utility and database servers is
not included here.

42. Are the current web servers virtualized?

Yes.

43. If so, will you provide the VMDKs for the migration?

Yes.

44. What OS are the web servers running? Version? Patch?

Current versions of Linux and Windows operating systems.

45. What databases, if any, are being used?

MySQL, SQL Server.

46. Will you still provide the web server support/management or are you passing that off also?

We are open to options on the extent to which we can transfer to the cloud service provider.

47. What is the main reason for moving away from hosting the servers internally? What benefits are you hoping to
gain?

The move to the cloud is to better our business continuity and disaster recovery stance. Furthermore,
we have an internal goal of attaining as close to always on as possible for key websites and the
resiliency that the Cloud provides is essential to achieving this goal.

48. Has a budget been established? Which budget year will this project fall into?

Yes, it is effective 2016 and beyond.

49. Please supply the list of hardware currently deployed to support this environment.

They are all HP hardware with Cisco networking.

50. Please supply a report of the environmental resources being used (power, cooling etc.).

We choose not to respond.

51. Are there any specific security standards required to govern this deployment/environment? What are they?

All security implementations should be governed by FedRAMP requirements and House policy and
standards.

52. When will the migration take place and what is your target date?

We are targeting migration to occur sometime between Q4 FY16 to Q2 FY17.

53. After reading the RFI, it is not clear how the House will engage in a paying contract with the vendor. Can you
please help us understand the mechanics of this RFI?

Per Section 5 of the RFI, responses to this notice are not offers and cannot be accepted by the CAO to
form a binding/paying contract. This is strictly an information gathering exercise.

54. Is this a pay for response?

See answer to Question 53.

55. Do vendors need to have FedRAMP?

See answer to Question 51.

56. Is the team willing to break up their Drupal Multi-Sites or do they wish to keep the websites as is?

Yes, this option will be considered if the solution is viable, cost effective, and reduces the management
burden.
